Example init.xml File
The following is an example of a typical init.xml file:
<ConnectorGateway>
  <SM>
    <!-- Agent hostname or IP address -->
    <hostname>xx.xx.xx.xx</hostname>
    <!-- Agent port number -->
    <port>2980</port>
    <!-- Default value is IBM1047 -->
    <characterSet></characterSet>
    <!-- Flag indicating whether TLS communication is enabled between CG and Mainframe Agent -->
    <enableCGtoAgentTLS>true</enableCGtoAgentTLS>
    <trustStore>C:\Java\jre1.8.0_144\lib\security\cacerts</trustStore>
  </SM>
  <Server>
    <!-- Connector Gateway port number -->
    <port>2980</port>
    <enableCGtoPE2TLS>true</enableCGtoPE2TLS>
    <keyStore>C:\Users\UserName\Desktop\Certs\keystore.jks</keyStore>
    <keyStorePass>ij2Hn20pTsyGbV9vum4/3w==</keyStorePass>
    <keyPass>ij2Hn20pTsyGbV9vum4/3w==</keyPass>
  </Server>
</ConnectorGateway>
The parameters of the init.xml file are as follows:
SM Entries
hostname: Hostname of the ACF2 Connector.

port (Agent port number): Port number of the ACF2 Connector. This connection requires a read/write port, so be sure that the defined port+1 is also reserved for this connection. For example, if the port number in a given init.xml file is 2470, ports 2470 and 2471 must both be reserved for the connection to the ACF2 Connector.

characterSet: The Provisioning Engine encodes all messages from ASCII to EBCDIC using the IBMCharacterSet defined in the application. The Connector Gateway needs to decode only the header message before sending it to the ACF2 Connector. The characterSet value in the Connector Gateway and the IBMCharacterSet in the application must be the same. Default: IBM1047.
To enable TLS communication between the Connector Gateway and the ACF2 Connector, the Connector Gateway must validate the CN of the certificate subject against the value provided in the agentCertSubject parameter in the init.xml file. Set the agentCertSubject parameter using the following command:
java -jar ConnectorGateway.jar -agentCertSubject <VALUE>
Important: The value of the agentCertSubject parameter must not be set directly within the init.xml file; it should be set only by using this command.
For example:
java -jar ConnectorGateway.jar -agentCertSubject CertSubject
When this command is run, the Connector Gateway encrypts the value and stores it in the init.xml file under the <SM> tag as follows:
<agentCertSubject>ENCRYPTED_VALUE</agentCertSubject>
If agentCertSubject is not specified, the Connector Gateway validates the CN of the certificate subject against the FQDN of the machine hosting the ACF2 Connector.
Hostname verification is configurable and can be disabled by setting the disableHostnameVerification parameter to true in the init.xml file as follows:
<disableHostnameVerification>true</disableHostnameVerification>
When set to true, the Connector Gateway does not validate the certificate subject name at all (the agentCertSubject check described above is skipped). Default value: false.
clientProtocols: When TLS communication is enabled between the Connector Gateway and the ACF2 Connector, you can configure clientProtocols to restrict the Connector Gateway to a specific supported TLS version. This parameter is a configurable option in the init.xml file that ultimately sets the jdk.tls.client.protocols Java system property:
<clientProtocols>TLSv1.2</clientProtocols>
The default value depends on the JRE version available in the Connector Gateway and Mainframe environments.
enableFIPS: Enables FIPS mode for the Connector Gateway. The default value is false. To enable FIPS, set the value to true in the init.xml file as follows:
<enableFIPS>true</enableFIPS>
For more information on enabling FIPS, refer to Enabling FIPS for Connector Gateway.

trustStorePassword (applicable only if enableFIPS is enabled): The truststore password. The encrypted value must be provided in the init.xml file as follows:
<trustStorePassword>Encrypted_Value</trustStorePassword>
Server Entries
port (Connector Gateway port number): Port number on which the Connector Gateway listens. This connection requires a read/write socket on the defined port, so be sure that the port is reserved for this connection. For example, if the listening port number under the Server entries in a given init.xml file is 2980, port 2980 must be reserved for the connection to the Connector Gateway.

send_keep_alive_to_all (optional): By default, the Connector Gateway sends a keep-alive message only over the ACF2 Connector and interception connection channels. If you want the Connector Gateway to send the keep-alive message over all active SailPoint / ACF2 Connector connections, add the following parameter to the Connector Gateway's init.xml file:
<send_keep_alive_to_all>true</send_keep_alive_to_all>
By default, the value of this parameter is false.
disableSSLLogs: If TLS and TRACE level logging are both enabled at the Connector Gateway, the Connector Gateway prints Java's SSL debug logs. If the Connector Gateway is running from the command line, the logs are printed on the console. If the Connector Gateway is running as a service (Windows only), the logs are written to the stdout.log file in the Connector Gateway's log directory.
To disable the SSL logs, add the disableSSLLogs parameter under the <Server> tag in the Connector Gateway's init.xml file. The default value is false. For example:
<disableSSLLogs>true</disableSSLLogs>
encryptionKeyFile: Path of the file that stores the key used to encrypt and decrypt sensitive values. The encryptionKeyFile path must be added in the init.xml file as follows:
<encryptionKeyFile>path</encryptionKeyFile>
For example:
<encryptionKeyFile>C:\FileName</encryptionKeyFile>
The key length must be 16, 24, or 32 bytes.
Note: If encryptionKeyFile is not provided, or the key length is anything other than the sizes specified above, the Connector Gateway falls back to a built-in default key to encrypt and decrypt sensitive data. Rotate the key periodically and protect this file with appropriate access controls.
maxActiveTransactions: Maximum number of transactions handled simultaneously by the Connector Gateway. Add the maxActiveTransactions parameter under the <Server> tag in the init.xml file as follows:
<maxActiveTransactions>value</maxActiveTransactions>
For example:
<maxActiveTransactions>20</maxActiveTransactions>
The default value is 10.
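As an added, defender-side example that is not part of the SailPoint documentation or product, the following Python script audits an init.xml for the weak settings described in the entries above: hostname verification disabled, legacy protocols listed in clientProtocols, enableFIPS without a trustStorePassword, and a missing or wrong-sized encryptionKeyFile (which silently leaves the default key in use). The sample document is constructed; the element names are the ones shown on this page.

```python
# Added example (not SailPoint code): audit an init.xml for the risky settings
# this page describes. Element names are those on the page; sample is constructed.
import os
import xml.etree.ElementTree as ET

# Constructed sample: TLS on, but hostname check off, legacy protocol allowed,
# FIPS without a truststore password, and a key file that does not exist here.
SAMPLE_INIT_XML = r"""<ConnectorGateway>
  <SM>
    <enableCGtoAgentTLS>true</enableCGtoAgentTLS>
    <disableHostnameVerification>true</disableHostnameVerification>
    <clientProtocols>TLSv1,TLSv1.2</clientProtocols>
    <enableFIPS>true</enableFIPS>
  </SM>
  <Server>
    <port>2980</port>
    <encryptionKeyFile>C:\FileName</encryptionKeyFile>
  </Server>
</ConnectorGateway>"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
VALID_KEY_LENGTHS = (16, 24, 32)  # the AES key sizes the page allows

def _text(root, path):
    node = root.find(path)
    return (node.text or "").strip() if node is not None else ""

def audit_init_xml(xml_text, key_length=None):
    """Return findings; key_length overrides the on-disk size of encryptionKeyFile
    (handy when auditing a copy of the file taken from another host)."""
    root = ET.fromstring(xml_text)
    is_true = lambda path: _text(root, path).lower() == "true"
    findings = []
    if not is_true("SM/enableCGtoAgentTLS"):
        findings.append("SM/enableCGtoAgentTLS is not true: CG-to-agent traffic is cleartext")
    if is_true("SM/disableHostnameVerification"):
        findings.append("SM/disableHostnameVerification=true: agent cert subject is not checked")
    legacy = {p.strip() for p in _text(root, "SM/clientProtocols").split(",")} & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SM/clientProtocols allows legacy " + ", ".join(sorted(legacy)))
    if is_true("SM/enableFIPS") and not _text(root, "SM/trustStorePassword"):
        findings.append("SM/enableFIPS=true but SM/trustStorePassword is missing")
    key_path = _text(root, "Server/encryptionKeyFile")
    if key_length is None and os.path.isfile(key_path):
        key_length = os.path.getsize(key_path)
    if key_length not in VALID_KEY_LENGTHS:
        findings.append("Server/encryptionKeyFile missing or not 16/24/32 bytes: default key in use")
    return findings
```

Run audit_init_xml(SAMPLE_INIT_XML) to list the four findings for the constructed sample; pass key_length when the key file is not on the auditing host.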